URL: http://elcisneblanco.com/tmp/banking/details/bank.php
Full analysis: https://app.any.run/tasks/955fd2d8-2123-4bcc-91de-08e760e6a545
Verdict: Malicious activity
Analysis date: June 19, 2019, 16:26:30
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Tags: opendir
Indicators:
MD5: 4DE491700DFB5A30481DC45F7DA6D41D
SHA1: EAFB56CE1F7C362276609964A8A12E0CE06A4B9A
SHA256: ACD4B6F116C16E3A6A41933825D694D104F57A55F55BCCC757669734CA0DD18E
SSDEEP: 3:N1KbIbiJiGGIKuMiMJNHtxn:C6iJi3ITMRNr

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Changes the autorun value in the registry

      • WScript.exe (PID: 2212)
      • wscript.exe (PID: 4024)
      • wscript.exe (PID: 3964)
    • Writes to a start menu file

      • WScript.exe (PID: 2212)
      • wscript.exe (PID: 4024)
      • wscript.exe (PID: 3964)
  • SUSPICIOUS

    • Creates files in the user directory

      • WScript.exe (PID: 2212)
      • wscript.exe (PID: 4024)
    • Application launched itself

      • WScript.exe (PID: 2212)
      • wscript.exe (PID: 3964)
    • Executes scripts

      • WScript.exe (PID: 2212)
      • wscript.exe (PID: 3964)
  • INFO

    • Reads Internet Cache Settings

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 2956)
      • iexplore.exe (PID: 3772)
    • Creates files in the user directory

      • iexplore.exe (PID: 3452)
      • iexplore.exe (PID: 2956)
    • Reads internet explorer settings

      • iexplore.exe (PID: 3452)
    • Application launched itself

      • iexplore.exe (PID: 2956)
    • Manual execution by user

      • WScript.exe (PID: 2212)
      • WinRAR.exe (PID: 3180)
    • Changes internet zones settings

      • iexplore.exe (PID: 2956)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.
No data.
All screenshots are available in the full report
Total processes: 47
Monitored processes: 8
Malicious processes: 3
Suspicious processes: 0

Behavior graph (interactive version in the full report). Nodes: start, iexplore.exe, iexplore.exe, iexplore.exe, winrar.exe (no specs), wscript.exe, wscript.exe, wscript.exe, wscript.exe (no specs)

Process information

PID 2956
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" http://elcisneblanco.com/tmp/banking/details/bank.php
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3452
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:71937
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: LOW
  Description: Internet Explorer
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3772
  CMD: "C:\Program Files\Internet Explorer\iexplore.exe" SCODEF:2956 CREDAT:14337
  Path: C:\Program Files\Internet Explorer\iexplore.exe
  Parent process: iexplore.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Internet Explorer
  Exit code: 0
  Version: 8.00.7600.16385 (win7_rtm.090713-1255)

PID 3180
  CMD: "C:\Program Files\WinRAR\WinRAR.exe" x -iext -ow -ver -- "C:\Users\admin\Downloads\BANK DETAILS CONFIRMATION_PDF.zip" "C:\Users\admin\Downloads\BANK DETAILS CONFIRMATION_PDF\"
  Path: C:\Program Files\WinRAR\WinRAR.exe
  Parent process: explorer.exe
  User: admin
  Company: Alexander Roshal
  Integrity Level: MEDIUM
  Description: WinRAR archiver
  Exit code: 0
  Version: 5.60.0

PID 2212
  CMD: "C:\Windows\System32\WScript.exe" "C:\Users\admin\Downloads\BANK DETAILS CONFIRMATION_PDF\BANK DETAILS CONFIRMATION_PDF - Copy.js"
  Path: C:\Windows\System32\WScript.exe
  Parent process: explorer.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 0
  Version: 5.8.7600.16385

PID 4024
  CMD: "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\ljSULvdTZD.js"
  Path: C:\Windows\System32\wscript.exe
  Parent process: WScript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Version: 5.8.7600.16385

PID 3964
  CMD: "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\BANK DETAILS CONFIRMATION_PDF - Copy.js"
  Path: C:\Windows\System32\wscript.exe
  Parent process: WScript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Version: 5.8.7600.16385

PID 2592
  CMD: "C:\Windows\System32\wscript.exe" //B "C:\Users\admin\AppData\Roaming\ljSULvdTZD.js"
  Path: C:\Windows\System32\wscript.exe
  Parent process: wscript.exe
  User: admin
  Company: Microsoft Corporation
  Integrity Level: MEDIUM
  Description: Microsoft ® Windows Based Script Host
  Exit code: 1
  Version: 5.8.7600.16385
Total events: 1 906
Read events: 1 424
Write events: 0
Delete events: 0

Modification events

No data

Executable files: 0
Suspicious files: 3
Text files: 29
Unknown types: 5

Dropped files

PID | Process | Filename | Type
2956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\H6QNMHE9\favicon[1].ico | (none)
  MD5: (none)
  SHA256: (none)
2956 | iexplore.exe | C:\Users\admin\AppData\LocalLow\Microsoft\Internet Explorer\Services\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico | (none)
  MD5: (none)
  SHA256: (none)
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini | ini
  MD5: 4A3DEB274BB5F0212C2419D3D8D08612
  SHA256: 2842973D15A14323E08598BE1DFB87E54BF88A76BE8C7BC94C56B079446EDF38
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0GB1FTM2\errorPageStrings[1] | text
  MD5: 1A0563F7FB85A678771450B131ED66FD
  SHA256: EB5678DE9D8F29CA6893D4E6CA79BD5AB4F312813820FE4997B009A2B1A1654C
2956 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\MSHist012019061920190620\index.dat | dat
  MD5: 8EAB1E489F17498BADB415308841D084
  SHA256: 2AC83D30DEB9937BE9874F5421100B5D5DB4B01D43A2F60A9C68E91E763ED848
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat | dat
  MD5: 532DA8F79B647E806ABF9A34E82551DB
  SHA256: 216B3B45D53D2CD89EDC747E0A12B303D670A44F1D57A4EBAE701B1730CC43CB
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O2LCSF69\bank[1].htm | html
  MD5: BBBF8DAAFBBA2F086075BEFBF38E6327
  SHA256: 0305B9CDAE8792F5E096118FBD44C14DBEFA4B771F17BCF64DE68ED62F21285E
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RAEE57Z7\dnserror[1] | html
  MD5: 68E03ED57EC741A4AFBBCD11FAB1BDBE
  SHA256: 1FF3334C3EB27033F8F37029FD72F648EDD4551FCE85FC1F5159FEAEA1439630
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\History\Low\History.IE5\index.dat | dat
  MD5: EE24E79909F20BBAF5164EDF142EF9AA
  SHA256: C2F3B1ECE19678DDBFDE63908A4B00686C2FE806BC8213FA50DB8A837B1985B2
3452 | iexplore.exe | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RAEE57Z7\noConnect[1] | image
  MD5: 3CB8FACCD5DE434D415AB75C17E8FD86
  SHA256: 6976C426E3AC66D66303C114B22B2B41109A7DE648BA55FFC3E5A53BD0DB09E7
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests: 4
TCP/UDP connections: 12
DNS requests: 7
Threats: 0

HTTP requests

PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation
3452 | iexplore.exe | GET | 200 | 192.185.26.103:80 | http://elcisneblanco.com/tmp/banking/details/bank.php | US | html | 222 b | unknown
3772 | iexplore.exe | GET | 200 | 192.185.163.240:80 | http://futuroformacion.es//moodle/calendar/amd/BANK%20DETAILS%20CONFIRMATION_PDF.zip | US | compressed | 35.0 Kb | unknown
2956 | iexplore.exe | GET | 200 | 192.185.26.103:80 | http://elcisneblanco.com/favicon.ico | US | image | 3.50 Kb | unknown
2956 | iexplore.exe | GET | 200 | 204.79.197.200:80 | http://www.bing.com/favicon.ico | US | image | 237 b | whitelisted

Connections

PID | Process | IP | Domain | ASN | CN | Reputation
2956 | iexplore.exe | 204.79.197.200:80 | www.bing.com | Microsoft Corporation | US | whitelisted
3964 | wscript.exe | 185.247.228.159:1765 | www.tcoolsoul.com | (none) | (none) | malicious
2956 | iexplore.exe | 192.185.26.103:80 | elcisneblanco.com | CyrusOne LLC | US | unknown
3772 | iexplore.exe | 192.185.163.240:80 | futuroformacion.es | CyrusOne LLC | US | unknown
3452 | iexplore.exe | 192.185.163.240:80 | futuroformacion.es | CyrusOne LLC | US | unknown
3452 | iexplore.exe | 192.185.26.103:80 | elcisneblanco.com | CyrusOne LLC | US | unknown

DNS requests

Domain | IP | Reputation
elcisneblanco.com | 192.185.26.103 | unknown
www.bing.com | 204.79.197.200, 13.107.21.200 | whitelisted
futuroformacion.es | 192.185.163.240 | unknown
dns.msftncsi.com | 131.107.255.255 | shared
brothersjoy.nl | (none) | unknown
www.tcoolsoul.com | 185.247.228.159 | malicious

Threats

PID | Process | Class | Message
3772 | iexplore.exe | Misc activity | ET INFO SUSPICIOUS Single JS file inside of ZIP Download (Observed as lure in malspam campaigns)